Commit 2e401b99 authored by Vincent Pelletier's avatar Vincent Pelletier

ca: Renew CRL at half its life time.

Allowing clients to have a period of CRL validity overlap.
parent 3a00d7bf
...@@ -182,6 +182,10 @@ class CertificateAuthority(object): ...@@ -182,6 +182,10 @@ class CertificateAuthority(object):
crt_life_time * crl_renew_period, crt_life_time * crl_renew_period,
0, 0,
) )
self._crl_renew_time = datetime.timedelta(
crt_life_time * crl_renew_period * .5,
0,
)
self._ca_life_time = datetime.timedelta(crt_life_time * ca_life_period, 0) self._ca_life_time = datetime.timedelta(crt_life_time * ca_life_period, 0)
self._loadCAKeyPairList() self._loadCAKeyPairList()
self._renewCAIfNeeded() self._renewCAIfNeeded()
...@@ -772,7 +776,7 @@ class CertificateAuthority(object): ...@@ -772,7 +776,7 @@ class CertificateAuthority(object):
crl_pem = crl.public_bytes(serialization.Encoding.PEM) crl_pem = crl.public_bytes(serialization.Encoding.PEM)
self._storage.storeCertificateRevocationList( self._storage.storeCertificateRevocationList(
crl_pem, crl_pem,
expiration_date=utils.datetime2timestamp(crl.next_update), expiration_date=utils.datetime2timestamp(now + self._crl_renew_time),
) )
return crl_pem return crl_pem
......
...@@ -491,6 +491,13 @@ class CaucaseTest(unittest.TestCase): ...@@ -491,6 +491,13 @@ class CaucaseTest(unittest.TestCase):
backend=_cryptography_backend, backend=_cryptography_backend,
) )
def _getClientCRL(self):
with open(self._client_crl) as crl_pem_file:
return x509.load_pem_x509_crl(
crl_pem_file.read(),
_cryptography_backend
)
def _skipIfOpenSSLDoesNotSupportIPContraints(self): def _skipIfOpenSSLDoesNotSupportIPContraints(self):
ca_key, ca_crt = self._getCAKeyPair( ca_key, ca_crt = self._getCAKeyPair(
extension_list=[ extension_list=[
...@@ -1095,6 +1102,26 @@ class CaucaseTest(unittest.TestCase): ...@@ -1095,6 +1102,26 @@ class CaucaseTest(unittest.TestCase):
csr_id + ' not found - maybe CSR was rejected ?' csr_id + ' not found - maybe CSR was rejected ?'
], out) ], out)
# Renewing CRL
self._stopServer()
reference_crl = self._getClientCRL()
now = datetime.datetime.utcnow()
# x509 certificates have second-level accuracy
now = now.replace(microsecond=0)
# Sanity check: pre-existing CRL creation should be strictly in the past
self.assertLess(reference_crl.last_update, now)
# Store a dummy, already expired CRL, just to force a new one to be
# generated on next server start.
SQLite3Storage(
self._server_db,
table_prefix='cas',
).storeCertificateRevocationList('', 0)
self._startServer()
self._runClient()
new_crl = self._getClientCRL()
# May be equal due to lack of timestamp accuracy.
self.assertLessEqual(now, new_crl.last_update)
def testBadCSR(self): def testBadCSR(self):
""" """
Submitting an invalid CSR. Submitting an invalid CSR.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment